Skip to content

lore-server: Enforce repository write permissions#49

Open
s-zaizen wants to merge 1 commit into
EpicGames:mainfrom
s-zaizen:fix/repository-write-permissions
Open

lore-server: Enforce repository write permissions#49
s-zaizen wants to merge 1 commit into
EpicGames:mainfrom
s-zaizen:fix/repository-write-permissions

Conversation

@s-zaizen

@s-zaizen s-zaizen commented Jun 22, 2026

Copy link
Copy Markdown

Summary

Enforces repository permission claims for authorization and write paths in lore-server.

Repository authorization now requires a matching repository resource to include a read-like permission, and repository mutation paths require write, admin, owner.

Details

Repository authorization was based on whether a token contained a matching repository resource, but missing or empty permission lists were still treated as authorized. This allowed resource claims without repository permissions to pass authorization checks.

This updates the shared JWT authorization helpers and applies write checks across

  • gRPC revision, repository metadata, and storage mutation handlers
  • HTTP content writes
  • protocol storage put/copy/mutable operations
  • QUIC storage sessions and write commands

Testing

cargo +nightly fmt --all --check
cargo build
cargo clippy --all-targets -- -D warnings --no-deps
cargo test -p lore-server

@s-zaizen
Enforce repository write permissions
2f849f3 
Require explicit write, admin, or owner repository permissions before mutation paths across gRPC, HTTP, protocol storage, and QUIC.

Keep read authorization requiring read-like permissions so empty resource claims cannot grant access.

Signed-off-by: s-zaizen <s@zaizen.me>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@s-zaizen